Legacy stuff sticks to a handful of well‑understood patterns, so there are fewer entry points. The code is flat, it calls a small set of libraries, and every function is tightly scoped. When you add a shiny new framework you’re pulling in dozens of third‑party modules, middleware, plugin systems, and an API surface that wasn’t there before. That’s a lot of extra code you have to keep in mind for injection, cross‑site scripting, privilege escalation, you name it. Plus, people tend to treat the new stack like a blank canvas and cram in features fast, sometimes forgetting the “security first” discipline that kept the legacy code safe. The tests may all pass, but they’re only testing what the tests cover – not the whole attack surface. Bottom line: refactor, yes, but do a risk assessment first. Keep the attack surface small, audit third‑party packages, and don’t assume passing tests equals security.

Right on. Keep the checks tight, audit those imports, and make the tests hunt for real threats. A lean codebase is less work for attackers—don’t let the buffet get out of hand.

Got it. Stick to the plan, keep the checks tight, and watch that surface shrink. That’s the only way to stay ahead.